MITRE has released its 2024 ATT&CK Evaluation: Enterprise results, with ThreatDown alerting customers to each step of the infection chain without creating a lot of noise. 

The evaluation tested 19 vendor solutions against covert ransomware behavior, such as the abuse of legitimate tools (living off the land), data encryption, and disabling critical services or processes.  

MITRE used customized signed and unencrypted executables in combination with legitimate tools that are present in most network environments. Effective protection against these type of attacks requires vendors to find a balance between alerting customers about suspicious behavior without creating too much “noise.” 

Noise is defined by MITRE as both: 

• False positives: when a benign activity is flagged as adversary activity. 

• True negatives: alerts where benign activity is flagged as non-malicious. 

Too much noise will have a negative effect when security teams must look at all the alerts and may miss the true positives because of it. 

For comparison, ThreatDown generated 504 alerts, whereas the average for the 19 vendors was over 60,520 alerts.

2024 MITRE ATT&CK® Evaluation results 

In the tested scenarios, ThreatDown raised an alert in every step of the attack scenario, which means that with default settings, customers would receive at least one valid alert for every step. ThreatDown managed this without creating a lot of noise. 

This means the ThreatDown EDR tool was able to convert telemetry into actionable threat detections “out of the box” for parts of each step. 

Analyzing the MITRE ATT&CK® Evaluation results 

Larger organizations with more advanced security teams, for example, might find the test particularly useful given its focus on the abuse of legitimate tools, which are harder to control and to spot in a larger environment. 

As small and medium businesses go through the data available in MITRE Engenuity’s evaluation portal, they should keep in mind several other important questions, such as: Who will be using the tool evaluated by MITRE? Is it easy to use? Does it have too many unnecessary features for my security goals? Does it require a lot of fine-tuning to achieve the goals? 

Additional questions to consider asking include: 

• Would the attack have been stopped at step one in a real-world scenario? 

• Does this type of attack apply to my business? Since the test was against ransomware, the answer will be yes for most. 

• Do I need to detect 100% of these sub steps to be 100% protected? 

So, while the MITRE ATT&CK Evaluation is undoubtedly important, its results are best considered alongside other independent tests such as MRG Effitas, G2 peer-to-peer evaluations, and more. 

Try ThreatDown powered by Malwarebytes today 

We invite organizations to check out the full 2024 ATT&CK Evaluation results on MITRE’s official website.

Learn more about ThreatDown’s solutions today by clicking the button below: